Incident Investigation 🔎 🥷

🛡 Defence Mechanisms

🔎 Incident Investigation

Once the incident is confirmed, you need to perform an investigation in order to fully contain and remediate it. This phase is also crucial for threat intelligence collection, which allows for more targeted hunting for adversaries across the infrastructure. I found it quite hard to separate incident response and digital forensics articles from one another. For now I see incident response as the more general process, one that may require a more thorough examination (digital forensics) but not necessarily. As I see it, we have an event and start the IR process to determine whether it is malicious. We identify compromised hosts and map the artifacts to the MITRE ATT&CK framework. Then, to be able to fully contain and remediate the incident, we call for DF: analysing malware, analysing the registry on Windows, recovering data from unallocated space, etc., in order to reconstruct the whole picture in detail. So, roughly speaking, IR is about sketching and DF is about the details.

🧹 Containment, Eradication and Recovery

This section is dedicated to limiting and cleaning up the mess. It is presumed that the initial investigation has been conducted and that we now have enough information to perform the clean-up.

โฑ๏ธ Timelines And Timestamps

Time formats and standards: GMT and UTC are the same and are usually used interchangeably, although there is some difference: https://www.

DFIR Methodology

This is about … .

💼 Sample Cases